The mod_proxy Cookbook

Transcription

1 The mod_proxy Cookbook A collection of proxy recipes to suit your discerning palate Daniel Ruggeri

2 Who is This Guy? About Daniel Ruggeri Infrastructure guy with a love for code DRuggeri <at> apache.org Standard Disclaimer I'm speaking personally and not on behalf of my employer. The examples and comments are my personal opinions and should not be considered the official practices or positions of MasterCard.

3 Between You and Lunch About this presentation Not just mod_proxy Know thine application Warning eye charts ahead! Examples may be hard to read Included for completeness Download this presentation!

4 What's New and Hot? Embers - Ed Suominen - CC BY-NC

5 Newness - websockets WebSocket (RFC6455) support Full duplex socket Upgraded connection via HTTP/1.1 LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so ProxyPass /ws2/ ws://echo.websocket.org/

6 Newness - UDS Unix Domain Socket Local connection only A socket without all that TCP stuff Pipe separator ProxyPass / unix:/var/run/superapp.sock

7 Newness - mod_proxy_express Express Mass name-based, switch-like proxying Target server selection is driven by DBM file DBM file: login.homeawayfromhome.com Config file: ProxyExpressEnable on ProxyExpressDBMFile /path/to/mapfile

8 One done - Daniel Kulinski - CC BY-NC-SA

9 How to Be a Good Proxy Connection Marshaling/Protocol Enforcement Load Balancing/Session Stickiness Connection Pooling/TCP and SSL Offload Failover/Health Monitoring Dynamic Modification Traffic shaping/caching/compression Attack Mitigation (Security)

10 Connection Marshaling/Protocol Enforcement Dalian Traffic Cops 06 - SnoShuu - CC BY-NC-ND

11 Playing Traffic Cop Separates clients and servers The difference between forward and reverse proxy What does the client know? Forward proxy mod_proxy_connect for SSL Reverse proxy uses mod_proxy_(ajp http ftp scgi fcgi wstunnel) mod_ssl and SSLProxyEngine for SSL

12 Forward Proxy Example WARNING: Do not proceed until you know how to lock this down! LoadModule proxy_connect_module modules/mod_proxy_connect.so <VirtualHost :8888> ProxyRequests On <Proxy *> Require ip </Proxy> </VirtualHost>

13 Reverse Proxy Examples In a Location block <Location /application> ProxyPass </Location> Standalone ProxyPass directive ProxyPass /application ProxyPassReverse /application

14 Reverse Proxy Examples As a ProxyPassMatch ProxyPassMatch /application/.*.do In the Rewrite engine RewriteCond %{HTTP_COOKIE} TOP_SECRET_ACCESS RewriteRule ^/admin/(.*) [P]

15 Reverse Proxy Examples As a Balancer <Proxy balancer://mycluster> Balancer BalancerMember route=mercury BalancerMember route=venus ProxySet lbmethod=byrequests nonce=none stickysession=jsessionid </Proxy> Workers ProxyPass /myapp/ balancer://mycluster/myapp/

16 Reverse Proxy Examples As a DB (2.4) ProxyExpressEnable on ProxyExpressDBMFile /path/to/mapfile As a Handler ( ) <FilesMatch \.php$> # Unix sockets require or later SetHandler "proxy:unix:/path/to/app.sock fcgi://localhost/" </FilesMatch>

17 Load Balancing/Traffic Distribution network - Martin Abegglen - CC BY-SA

18 Load Distribution byrequests Perform balancing based solely on requests served bytraffic Perform balancing by byte count (in response body) served bybusyness Perform balancing based on how many pending requests exist for a backend heartbeat??? Perform balancing based on What mod_heartbeat tells us Some rumblings of what is coming

19 Load Distribution Asymmetric distribution loadfactor option for BalancerMember higher number == higher load +H option for hot-standby Disables worker until others are unavailable Don t forget lbset as another option Selective proxying using! and ordering Do not proxy certain paths

20 Example: Weighting <Proxy balancer://mycluster> BalancerMember loadfactor=2 BalancerMember smax=10 loadfactor=2 #Less powerful server fewer requests BalancerMember smax=1 loadfactor=1 </Proxy> ProxyPass / balancer://mycluster/ stickysession=jsessionid

21 Example: Hot Standby <Proxy balancer://hotcluster> BalancerMember BalancerMember #Hot standby BalancerMember status=+h ProxySet lbmethod=bytraffic </Proxy> ProxyPass / balancer://hotcluster/

22 Example: Selective Proxying <Proxy balancer://appcluster1> BalancerMember BalancerMember </Proxy> <Proxy balancer://appcluster2> BalancerMember BalancerMember </Proxy> ProxyPass /static/! ProxyPass /applicationa/ balancer://appcluster1/ ProxyPass /applicationb/ balancer://appcluster2/ ProxyPass / balancer://hotcluster/

23 Worker Statuses Disabled (D) Worker is disabled and will not accept any requests. Stopped (S) Worker is administratively stopped. Ignore Errors (I) Will always be considered available. Hot Standby (H) Will only be used if no other viable workers are available. Error (E) Will not be used due to error. Drain (N) Will only accept existing sticky sessions for its route. Redirect* New requests without sessions will go here.

24 Sticky Sessions Gecko VinceFL - CC BY-NC-ND

25 Session Persistence Session replication can be expensive Built-in (as designed) mod_proxy_balancer includes facilities to do this Not always compatible or easy Roll your own Use the built-in functions but tweak to your liking Route parameter comes into play

26 A Sticky Matter Many different formats for session identifiers based on backend. Cookies, URLs, formats, etc You have to know a lot Name of the cookie Values contained Built-in is not 100% compatible. (2.2) Requires dot or semicolon as a delimiter (2.4) stickysessionsep can be anything

27 Universal Sticky!!! LoadModule headers_module modules/mod_headers.so <Proxy balancer://danielcluster> BalancerMember route=mercury BalancerMember route=venus ProxySet stickysession=danielsapp_sticky </Proxy> Header add Set-Cookie "DanielsApp_STICKY=sticky.%{BALANCER_WORKER_ROUTE}e;path=/;" env=balancer_route_changed ProxyPass /daniel/ balancer://danielcluster/daniel/

28 Connection Pooling/TCP and SSL Offload Quiet Cove pool at night - Ricky Brigante - CC BY-NC-ND

29 Get in the Pool So easy it is almost automatic Parameters max hard maximum smax soft maximum (aggressive TTL cleanup) ttl time allowed to be idle Other parameters come into play Complications... TCP/HTTP Keepalive

30 Example: Connection Pooling <Proxy balancer://mycluster> BalancerMember smax=7 max=10 ttl=10 BalancerMember smax=7 max=10 ttl=10 </Proxy> ProxyPass / balancer://mycluster/

31 Leave the Tough Stuff to Me Funnel all traffic into the pipeline Many requests <-> one backend connection keepalive is a beautiful thing SSL benefits as well HTTPS to HTTPD Can run HTTP or HTTPS to backend Either will be more efficient! Node.js use case

32 Failover/Health Monitoring Doctor Visit - Laura Smith - CC BY-NC-ND

33 Failure Detection Failover capability for connection only Connection errors fail over to next backend seamlessly. SSL errors go back to user.... and are taken out of service as of Hung/slow backend errors go back to user.... but can be taken out of service as of /2.4.5 with failontimeout.

34 I Don't Feel So Well No heath check capability Requires real, live traffic Must come up with a way to work around it In the future... Scratch your own itch, Daniel!

35 Mitigating Controls connectiontimeout Sets the number of seconds to wait for a TCP connection. ProxyTimeout and failontimeout Fail faster and mark the backend out of service Warning - this may be bad for you Failonstatus Mark a backend out of service if a specific HTTP status code is found Monitoring Create external monitoring to force traffic through HTTPD.

36 Dynamic Modification The Pleasant Glow of Good Music - Bob Prosser - CC BY-NC-ND

37 Doing the Shuffle BalancerManager is how one modifies members. Good selection of parameters Balancer sticky identifier, timeout, failover, failover attempts, lbmethod Workers can be added if growth is set Workers can not be removed Worker loadfactor, lbset, route, redirect ignore errors, draining, disabled, hot standby Be safe out there

38 Lay Thine Eyes Upon It!

39 Balancer Manager Errata Nonce usage Set the nonce or use "None" for scripting XML output Useful for machines REST-like (todo) b, w and nonce parameters part of URL Persistance over restart (2.4.4) Will write state before shutdown Be careful out there

40 Shaping Pottery - o.lila - CC BY-NC-SA

41 Traffic Tweaking Caching via mod_cache Too much to cover here. Compress via mod_deflate Shape via... mod_proxy_html, mod_headers, mod_rewrite, mod_substitute, mod_sed mod_env/mod_setenvif, mod_expires, mod_*filter Watch with mod_dumpio The sky is the limit!

42 Example: Traffic Shaping ProxyPass /app balancer://mycluster/appl ProxyPassReverse /app balancer://mycluster/app <Location /app> AddOutputFilterByType SUBSTITUTE text/html Substitute "s n" RequestHeader set environment production AddOutputFilterByType DEFLATE text/html text/xml </Location>

43 Security Learning the hard way - Ludovic Bertron -CC BY

44 Not in MY House... Security modules mod_noloris, mod_security, etc Separation Tiered approach Standards enforcement Filtering/Blocking/Restricting Allow from certain hosts Authn/Authz modules The sky is (still) the limit!

45 Questions? Scenarios? Feedback: druggeri <at> apache.org Download me: